.\" Man page generated from reStructuredText.
.
.TH "KINIT" "1" " " "1.20.1" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBkinit\fP
[\fB\-V\fP]
[\fB\-l\fP \fIlifetime\fP]
[\fB\-s\fP \fIstart_time\fP]
[\fB\-r\fP \fIrenewable_life\fP]
[\fB\-p\fP | \-\fBP\fP]
[\fB\-f\fP | \-\fBF\fP]
[\fB\-a\fP]
[\fB\-A\fP]
[\fB\-C\fP]
[\fB\-E\fP]
[\fB\-v\fP]
[\fB\-R\fP]
[\fB\-k\fP [\fB\-i\fP | \-\fBt\fP \fIkeytab_file\fP]]
[\fB\-c\fP \fIcache_name\fP]
[\fB\-n\fP]
[\fB\-S\fP \fIservice_name\fP]
[\fB\-I\fP \fIinput_ccache\fP]
[\fB\-T\fP \fIarmor_ccache\fP]
[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
[\fB\-\-request\-pac\fP | \fB\-\-no\-request\-pac\fP]
[\fIprincipal\fP]
.SH DESCRIPTION
.sp
kinit obtains and caches an initial ticket\-granting ticket for
\fIprincipal\fP\&. If \fIprincipal\fP is absent, kinit chooses an appropriate
principal name based on existing credential cache contents or the
local username of the user invoking kinit. Some options modify the
choice of principal name.
.SH OPTIONS
.INDENT 0.0
.TP
\fB\-V\fP
display verbose output.
.TP
\fB\-l\fP \fIlifetime\fP
(duration string.) Requests a ticket with the lifetime
\fIlifetime\fP\&.
.sp
For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
.sp
If the \fB\-l\fP option is not specified, the default ticket lifetime
(configured by each site) is used. Specifying a ticket lifetime
longer than the maximum ticket lifetime (configured by each site)
will not override the configured maximum ticket lifetime.
.TP
\fB\-s\fP \fIstart_time\fP
(duration string.) Requests a postdated ticket.
Postdated
tickets are issued with the \fBinvalid\fP flag set, and need to be
resubmitted to the KDC for validation before use.
.sp
\fIstart_time\fP specifies the duration of the delay before the ticket
can become valid.
.TP
\fB\-r\fP \fIrenewable_life\fP
(duration string.) Requests renewable tickets, with a total
lifetime of \fIrenewable_life\fP\&.
.TP
\fB\-f\fP
requests forwardable tickets.
.TP
\fB\-F\fP
requests non\-forwardable tickets.
.TP
\fB\-p\fP
requests proxiable tickets.
.TP
\fB\-P\fP
requests non\-proxiable tickets.
.TP
\fB\-a\fP
requests tickets restricted to the host\(aqs local address[es].
.TP
\fB\-A\fP
requests tickets not restricted by address.
.TP
\fB\-C\fP
requests canonicalization of the principal name, and allows the
KDC to reply with a different client principal from the one
requested.
.TP
\fB\-E\fP
treats the principal name as an enterprise name.
.TP
\fB\-v\fP
requests that the ticket\-granting ticket in the cache (with the
\fBinvalid\fP flag set) be passed to the KDC for validation. If the
ticket is within its requested time range, the cache is replaced
with the validated ticket.
.TP
\fB\-R\fP
requests renewal of the ticket\-granting ticket. Note that an
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.
.sp
Note that renewable tickets that have expired as reported by
klist(1) may sometimes be renewed using this option,
because the KDC applies a grace period to account for client\-KDC
clock skew. See the \fBclockskew\fP setting in krb5.conf(5)\&.
.TP
\fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
requests a ticket, obtained from a key in the local host\(aqs keytab.
The location of the keytab may be specified with the \fB\-t\fP
\fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
of the default client keytab; otherwise the default keytab will be
used. By default, a host ticket for the local host is requested,
but any principal may be specified. On a KDC, the special keytab
location \fBKDB:\fP can be used to indicate that kinit should open
the KDC database and look up the key directly. This permits an
administrator to obtain tickets as any principal that supports
authentication based on the key.
.TP
\fB\-n\fP
Requests anonymous processing. Two types of anonymous principals
are supported.
.sp
For fully anonymous Kerberos, configure pkinit on the KDC and
configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&.
Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP
(an empty principal name followed by the at\-sign and a realm
name). If permitted by the KDC, an anonymous ticket will be
returned.
.sp
A second form of anonymous tickets is supported; these
realm\-exposed tickets hide the identity of the client but not the
client\(aqs realm. For this mode, use \fBkinit \-n\fP with a normal
principal name.
If supported by the KDC, the principal (but not
realm) will be replaced by the anonymous principal.
.sp
As of release 1.8, the MIT Kerberos KDC only supports fully
anonymous operation.
.UNINDENT
.sp
\fB\-I\fP \fIinput_ccache\fP
.INDENT 0.0
.INDENT 3.5
Specifies the name of a credentials cache that already contains a
ticket. When obtaining that ticket, if information about how that
ticket was obtained was also stored to the cache, that information
will be used to affect how new credentials are obtained, including
preselecting the same methods of authenticating to the KDC.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
\fB\-T\fP \fIarmor_ccache\fP
Specifies the name of a credentials cache that already contains a
ticket. If supported by the KDC, this cache will be used to armor
the request, preventing offline dictionary attacks and allowing
the use of additional preauthentication mechanisms. Armoring also
makes sure that the response from the KDC is not modified in
transit.
.TP
\fB\-c\fP \fIcache_name\fP
use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
location. If this option is not used, the default cache location
is used.
.sp
The default cache location may vary between systems. If the
\fBKRB5CCNAME\fP environment variable is set, its value is used to
locate the default cache. If a principal name is specified and
the type of the default cache supports a collection (such as the
DIR type), an existing cache containing credentials for the
principal is selected or a new one is created and becomes the new
primary cache.
Otherwise, any existing contents of the default
cache are destroyed by kinit.
.TP
\fB\-S\fP \fIservice_name\fP
specify an alternate service name to use when getting initial
tickets.
.TP
\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
interpreted by pre\-authentication modules. The acceptable
attributes and values vary from module to module. This
option may be specified multiple times to specify multiple
attributes. If no value is specified, it is assumed to be "yes".
.sp
The following attributes are recognized by the PKINIT
pre\-authentication mechanism:
.INDENT 7.0
.TP
\fBX509_user_identity\fP=\fIvalue\fP
specify where to find the user\(aqs X509 identity information
.TP
\fBX509_anchors\fP=\fIvalue\fP
specify where to find trusted X509 anchor information
.TP
\fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
specify use of RSA, rather than the default Diffie\-Hellman
protocol
.TP
\fBdisable_freshness\fP[\fB=yes\fP]
disable sending freshness tokens (for testing purposes only)
.UNINDENT
.TP
\fB\-\-request\-pac\fP | \fB\-\-no\-request\-pac\fP
mutually exclusive. If \fB\-\-request\-pac\fP is set, ask the KDC to
include a PAC in authdata; if \fB\-\-no\-request\-pac\fP is set, ask the
KDC not to include a PAC; if neither is set, the KDC will follow
its default, which is typically to include a PAC if doing so is
supported.
.UNINDENT
.SH ENVIRONMENT
.sp
See kerberos(7) for a description of Kerberos environment
variables.
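The duration strings taken by \-l, \-s and \-r above (for example \fB5:30\fP and \fB5h30m\fP, which the text says are equivalent) are the one format this page explains by example. The following parser is an added illustration, not code from the kinit sources: it is a simplified re-implementation of the duration grammar (an assumption; the spellings it accepts are listed in its comment), and \fBeffective_lifetime\fP shows the rule that a requested lifetime cannot exceed the site's configured maximum.

```python
import re

# Simplified duration-string grammar (an assumption, not krb5's own parser).
# Accepted spellings, all converted to a number of seconds:
#   "3600"          plain seconds
#   "1d5h30m15s"    unit suffixes, any subset, in d/h/m/s order ("5h30m")
#   "5:30"          hours:minutes          "5:30:15"   hours:minutes:seconds
#   "1-5:30:15"     days-hours:minutes:seconds
_UNITS_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
_CLOCK_RE = re.compile(r"^(?:(\d+)-)?(\d+):(\d+)(?::(\d+))?$")


def parse_deltat(text: str) -> int:
    """Return the number of seconds a kinit duration string denotes."""
    s = text.strip()
    if not s:
        raise ValueError("empty duration string")
    if s.isdigit():                      # bare number: already seconds
        return int(s)
    # Both regexes capture (days, hours, minutes, seconds) in that order,
    # so one unpacking serves either spelling.
    m = _UNITS_RE.match(s) or _CLOCK_RE.match(s)
    if m is None:
        raise ValueError(f"unrecognized duration string: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def format_deltat(seconds: int) -> str:
    """Render seconds in the unit-suffix spelling, e.g. 19800 -> '5h30m'."""
    if seconds < 0:
        raise ValueError("negative duration")
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{unit}")
    return "".join(parts) or "0s"


def effective_lifetime(requested: str, site_max: str) -> int:
    """Lifetime actually granted for `kinit -l requested`: a request longer
    than the site's configured maximum is clipped to that maximum."""
    return min(parse_deltat(requested), parse_deltat(site_max))


if __name__ == "__main__":
    # Constructed site maximum; real values come from the KDC's configuration.
    site_max = "1d"
    for req in ("5:30", "5h30m", "36h"):
        granted = effective_lifetime(req, site_max)
        print(f"kinit -l {req:<6} -> {format_deltat(granted)} ({granted}s)")
```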
.SH FILES
.INDENT 0.0
.TP
.B \fBFILE:/tmp/krb5cc_%{uid}\fP
default location of Kerberos 5 credentials cache
.TP
.B \fBFILE:/etc/krb5.keytab\fP
default location for the local host\(aqs keytab.
.UNINDENT
.SH SEE ALSO
.sp
klist(1), kdestroy(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2022, MIT
.\" Generated by docutils manpage writer.
.